Test Day:2010-10-14 OpenLDAP/NSS

From FedoraProject

Can't make the date? If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

Today's installment of Fedora Test Day focuses on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL as its crypto backend. This change should have no visible effect for users, but to be sure we want to test the OpenLDAP server and as many programs using the OpenLDAP client library (libldap) as possible.

We recommend doing the testing in a virtual machine, using a Fedora 14 network install as the installation medium. Boot and installation images are available (i386, x86_64).

If you prefer a Live medium, two LiveCDs are available here.
These images contain LiveCDs with shortcuts to IRC and to this wiki page. They also have all Priority 1 programs pre-installed in case you want to test one of them.

For read-write access use the bind DN cn=Tester,dc=silver,dc=testday and the password openldap. The subtree ou=free,dc=base,dc=testday is ready for your experiments. Please create an organizational unit named after yourself under it, so that you do not conflict with other testers. (Don't forget to replace dc=silver with the correct value for other servers.)

(read-write access is now set up for openldap02 - use the cn=Tester user)

Choose one of the applications in the list above and mark it as yours by adding your name to the "Taken by" column, then perform some testing. Below is a table of features that might be tested: the TLS options slapd accepts in its cn=config configuration (olcTLS*). The client library has equivalents in ldap.conf (TLS_CACERT, TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLS_CIPHER_SUITE, TLS_REQCERT), and an application built on OpenLDAP that can be configured to use TLS/SSL will usually expose similar options.

Use the -h command line option (listener URLs) to make slapd also listen for LDAPS requests, e.g. slapd -h "ldap:/// ldaps://hostname/" .... Note the lowercase -h: uppercase -H is the URI option of the client tools (ldapsearch -H ldaps://hostname/), not of slapd.

Config option            | Description                                                                                          | Example
-------------------------+------------------------------------------------------------------------------------------------------+----------------------------------
olcTLSCACertificateFile  | Full path of a file containing the CA certificates to trust                                           | /etc/pki/tls/certs/ca-bundle.crt
olcTLSCACertificatePath  | Full path of a directory containing CA certificates in separate files                                 | /etc/openldap/cacerts
olcTLSCertificateFile    | Full path of the server certificate file                                                              | /home/user/myusercert.pem
olcTLSCertificateKeyFile | Full path of the server private key file; must be unencrypted, so restrict its file permissions      | /home/user/myuserkey.pem
olcTLSCipherSuite        | TLS cipher suites to offer (the example also permits SSLv3-era suites; drop +SSLv3 unless a legacy client needs it) | HIGH:MEDIUM:+SSLv3
olcTLSVerifyClient       | What checks to perform on incoming client certificates: never, allow, try or demand                   | demand

For the OpenLDAP server we also need to test server-to-server interactions that use TLS. For example, test replication from a server using Mozilla NSS to another server using OpenSSL (and the other direction) over LDAPS or StartTLS, and try a back-ldap or back-meta configuration using TLS/SSL.
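Putting the table and the replication scenario above into a script: the following is an added example for this page, not code from the OpenLDAP project or from the original Test Day material. It generates the cn=config modifications for the olcTLS* attributes, checks the private key's file mode (the key has to be unencrypted, so its permissions are its only protection), and builds a syncrepl consumer stanza that replicates from a provider over StartTLS with certificate verification, which is how an NSS-built consumer can be tested against an OpenSSL-built provider. The certificate paths, host names, the olcDatabase={2}bdb entry and root access to cn=config over ldapi:/// with SASL EXTERNAL are assumptions.

```shell
#!/bin/sh
# Added example for this Test Day page; not code from OpenLDAP or the page.
# Generates cn=config LDIF for the olcTLS* attributes from the table, checks
# the server key's permissions, and builds a TLS-protected syncrepl consumer.
# Paths, host names, olcDatabase={2}bdb and ldapi:/// root access are assumed.

# LDIF for ldapmodify that sets the server's TLS material in cn=config.
# $1 CA file, $2 server cert, $3 server key, $4 client-cert policy.
# The default for olcTLSVerifyClient is never: demand would also require every
# client application under test to present a valid certificate.
slapd_tls_ldif() {
    ca="$1" cert="$2" key="$3" verify="${4:-never}"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $ca
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: $verify
EOF
}

# slapd cannot prompt for a passphrase, so the key file is stored unencrypted
# and its file mode is the only thing keeping it private. Accept 0400/0600 only;
# the file should be owned by the account slapd runs as (ldap on Fedora).
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1") || return 2
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1: mode $mode is readable by others, expected 0600" >&2
           return 1 ;;
    esac
}

# Consumer-side replication stanza for the server-to-server test: the consumer
# connects to the provider, upgrades with StartTLS (critical = abort if TLS
# fails) and verifies the provider's certificate against tls_cacert
# (tls_reqcert=demand). Without those two keywords a replication "success"
# proves nothing about TLS.
# $1 provider host, $2 CA file, $3 replication bind DN, $4 its password.
syncrepl_ldif() {
    provider="$1" ca="$2" binddn="$3" pw="$4"
    cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://$provider:389/
  type=refreshAndPersist retry="60 +"
  searchbase="dc=silver,dc=testday"
  bindmethod=simple binddn="$binddn" credentials="$pw"
  starttls=critical tls_cacert=$ca tls_reqcert=demand
EOF
}

# Apply an LDIF to the running server as root over the ldapi socket
# (Fedora's default cn=config ACL grants root SASL EXTERNAL access; assumed).
apply_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Usage: sh slapd-tls.sh apply   (on the server, as root)
if [ "${1:-}" = "apply" ]; then
    KEY=/etc/pki/tls/private/slapd.key
    check_key_perms "$KEY" || exit 1
    slapd_tls_ldif /etc/pki/tls/certs/ca-bundle.crt \
        /etc/pki/tls/certs/slapd.crt "$KEY" > /tmp/slapd-tls.ldif
    apply_ldif /tmp/slapd-tls.ldif
    echo "restart slapd with ldaps:/// among its -h listener URLs to serve LDAPS"
fi
```

Modifying cn=config over ldapi:/// lets slapd rewrite its own slapd.d files, so the hand-editing pitfalls listed under Usual mistakes (empty lines, an olcTLS* attribute as the last line) do not arise. To replicate over LDAPS instead of StartTLS, use provider=ldaps://host:636/ and drop the starttls keyword; keep tls_reqcert=demand in both cases.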

After you perform testing, it is important to report results. A special section, Test Results, is available. Write there which program you tested, what was tested (i.e. which tests were performed) and what the result was. After you fill in this report, add a mark to the "Notes" column of the package list:

pass - everything was OK
warn - something was probably wrong
fail - the test failed

In the latter two cases a description of what went wrong should be available in the Test Results section below.

Many applications use the libldap client settings from /etc/openldap/ldap.conf. This section describes how to set up trusted certificate authorities there: server certificates signed by one of them will be accepted, and anything else is rejected (the default TLS_REQCERT is demand; do not lower it to allow or never just to make a test pass, since that defeats the point of testing TLS). To test against the Test Day servers you have to add at least our CA certificate.

There are several ways to configure trusted CAs. The easiest is probably a TLS_CACERTDIR directory (/etc/openldap/cacerts in this example) holding the CA certificates as PEM files.
You can do it your way; may the force (man ldap.conf) be with you. A directory containing a MozNSS certificate database, or a single CA bundle file (TLS_CACERT), is supported as well.
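The client side of the same test, as an added example for this page (not code from OpenLDAP or the original material): it installs the Test Day CA into the TLS_CACERTDIR directory described above, audits an ldap.conf for the settings that would let a TLS test pass without actually verifying the server certificate, and then runs the StartTLS and LDAPS probes plus the ou=free step from earlier on the page (binding as cn=Tester and adding an OU named after you). Host names, file names and the use of dc=silver,dc=testday as the base for ou=free are assumptions; the sample ldap.conf contents are constructed for the test.

```shell
#!/bin/sh
# Added example for this Test Day page; not code from OpenLDAP or the page.
# Installs the Test Day CA into TLS_CACERTDIR, audits ldap.conf for settings
# that would make a TLS test pass without verifying the server, and runs the
# StartTLS/LDAPS probes plus the ou=free step. Hosts and file names assumed.

CACERTDIR=/etc/openldap/cacerts   # TLS_CACERTDIR from the text

# Drop a CA certificate (PEM) into the trust directory. The text says PEM files
# in this directory are enough for the NSS-backed libldap; CA certs are public,
# so world-readable is fine.
install_ca() {  # $1 CA PEM file, $2 short name for the copy
    mkdir -p "$CACERTDIR"
    cp "$1" "$CACERTDIR/$2.pem" && chmod 644 "$CACERTDIR/$2.pem"
}

# Audit an ldap.conf. TLS_REQCERT never/allow/try let the session proceed when
# the server certificate cannot be verified, so a test against a broken or
# impersonated server would still "pass". Unset means demand (the default).
# Also insist on a trust anchor (TLS_CACERT or TLS_CACERTDIR). Returns 0 if OK.
audit_ldap_conf() {
    reqcert=demand anchor=0
    while read -r key value _; do
        case "$key" in
            TLS_REQCERT) reqcert=$value ;;
            TLS_CACERT|TLS_CACERTDIR) anchor=1 ;;
        esac
    done < "$1"
    if [ "$anchor" -ne 1 ]; then
        echo "$1: no TLS_CACERT/TLS_CACERTDIR, server certs cannot be verified" >&2
        return 1
    fi
    case "$reqcert" in
        demand|hard) return 0 ;;
        *) echo "$1: TLS_REQCERT $reqcert skips certificate verification" >&2
           return 1 ;;
    esac
}

# Write a constructed ldap.conf (sample data for this example, not a real file).
write_sample_conf() {  # $1 path, $2 TLS_REQCERT value
    cat > "$1" <<EOF
# constructed sample /etc/openldap/ldap.conf
BASE   dc=silver,dc=testday
URI    ldap://openldap01.testday/
TLS_CACERTDIR $CACERTDIR
TLS_REQCERT $2
EOF
}

# Live probes (need the network and the CA installed). -ZZ requests StartTLS
# and fails unless it is established; -x is a simple (here anonymous) bind.
probe_starttls() {  # $1 host, $2 base DN
    ldapsearch -x -ZZ -H "ldap://$1/" -b "$2" -s base '(objectClass=*)' dn
}
probe_ldaps() {     # $1 host, $2 base DN  (server must listen on ldaps:///)
    ldapsearch -x -H "ldaps://$1/" -b "$2" -s base '(objectClass=*)' dn
}

# The ou=free step: bind as cn=Tester over StartTLS and add an OU with your
# name. $1 host, $2 base DN (dc=silver,dc=testday on openldap01), $3 your name.
add_my_ou() {
    ldapadd -x -ZZ -H "ldap://$1/" -D "cn=Tester,$2" -w openldap <<EOF
dn: ou=$3,ou=free,$2
objectClass: organizationalUnit
ou: $3
EOF
}

# Usage: sh client-tls.sh probe openldap01.testday dc=silver,dc=testday yourname
if [ "${1:-}" = "probe" ]; then
    audit_ldap_conf /etc/openldap/ldap.conf || exit 1
    probe_starttls "$2" "$3" && probe_ldaps "$2" "$3" && add_my_ou "$2" "$3" "$4"
fi
```

If probe_starttls fails with a certificate error while probe_ldaps against the same host succeeds (or the other way round), that is exactly the kind of backend difference this Test Day is looking for; re-run the failing command with -d 1 added to ldapsearch to see the TLS negotiation and report it.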

Usual mistakes

Do not leave any empty lines in the OpenLDAP server configuration files (everything under /etc/openldap/slapd.d).
An olcTLS* option must not be the last line of your configuration or the server will not start (bug #641946); a workaround is to add one extra comment line (starting with #) after it.

After you have finished testing, please file a testing report below. The first report can be used as an example of how it should look. If you encounter any issue, please first discuss it on IRC. If it is verified as a bug, file a Bugzilla report against the openldap component and add a note about it to your report.
